DIGITAL MESSAGE ENCRYPTION AND AUTHENTICATION



This invention relates to a method by which a first computing entity signs and
encrypts a message data string, m; a method of signing and encrypting a message data
string, m; a computing entity programmed to be capable of carrying out the computer
implemented steps of such a first computing entity; and a computer storage medium
having stored thereon a computer program readable by a general-purpose computer,
the computer program including instructions for said general-purpose computer to
configure it to be such a computing entity.

References in square brackets are to the articles listed at Appendix A of this 
description. 

Signcryption is a novel public key primitive first proposed by Zheng in 1997 [14] and
as described in US-B-6,396,928. A signcryption scheme combines the functionality
of a digital signature scheme with that of an encryption scheme. It therefore offers the
three services: privacy, authenticity and non-repudiation. Since these services are
frequently required simultaneously, Zheng proposed signcryption as a means to offer
them in a more efficient manner than a straightforward composition of a digital
signature scheme and an encryption scheme.

It is only recently that research has been done on defining security for signcryption
and providing security arguments for schemes [2,3]. In [3] a scheme similar to the
original one proposed in [14] is analysed. The model in [2] is slightly different: it
aims to analyse any primitive that achieves the combined functionality of signature
and encryption.

The present invention relates to a provably secure signcryption scheme and, in
particular, a signcryption scheme based on the RSA trapdoor one-way function.



The present invention in a first aspect is a method by which a first computing entity
having an RSA key pair $(N_A, e_A)$, $(N_A, d_A)$ digitally signs and encrypts a message data
string, m, for decryption by a second computing entity having an RSA key pair $(N_B, e_B)$,
$(N_B, d_B)$, where $|N_A| = |N_B| = k$ and $m \in \{0,1\}^n$, and $k = n + k_0 + k_1$ for integers
$k_0$ and $k_1$, k even, the method comprising:

a) selecting an integer $r \in \{0,1\}^{k_0}$,

b) forming the hash $\omega = H(m \| r)$ where $H : \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}$, and

c) forming $s = G(\omega) \oplus (m \| r)$ where $G : \{0,1\}^{k_1} \to \{0,1\}^{n+k_0}$; steps a)
to c) being repeated as necessary to obtain $s \| \omega < N_A$; and then

d) signing by forming $c' = (s \| \omega)^{d_A} \bmod N_A$; and, if $c' > N_B$,
removing the most significant bit of $c'$ to obtain a new $c'$; and then

e) encrypting $c'$ by forming $c = c'^{e_B} \bmod N_B$.



In an alternative scheme of the method of the present invention, a first computing
entity having an RSA key pair $(N_A, e_A)$, $(N_A, d_A)$ digitally signs and encrypts a message
data string, m, for decryption by a second computing entity having an RSA key pair
$(N_B, e_B)$, $(N_B, d_B)$, where $|N_A| = |N_B| = k$ and $m \in \{0,1\}^n$, and $k = n + k_0 + k_1$ for
integers $k_0$ and $k_1$, the method comprising:

a) selecting an integer $r \in \{0,1\}^{k_0}$,

b) forming the hash $\omega = H(m \| r)$ where $H : \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}$, and

c) forming $s = G(\omega) \oplus (m \| r)$ where $G : \{0,1\}^{k_1} \to \{0,1\}^{n+k_0}$; steps a)
to c) being repeated as necessary to obtain $s \| \omega < N_A$; and then

d) signing by forming $c' = (s \| \omega)^{d_A} \bmod N_A$, steps a) to d) being repeated as
necessary to obtain $c' < N_B$; and then

e) encrypting $c'$ by forming $c = c'^{e_B} \bmod N_B$.



The present invention in a further aspect is a computing entity comprising:

data processing equipment;
a memory; and
communications equipment,

said data processing equipment being configured so as to be capable of
processing data according to a set of instructions stored in said memory;

said communications equipment being configured so as to communicate data
according to said set of instructions;

said set of instructions being such as to configure the computing entity to be
capable of carrying out the computer implemented steps of the first computing entity
of the methods of the present invention.

In the method of the present invention r may be selected at random.

The present invention in a further aspect comprises a computer storage medium 
having stored thereon a computer program readable by a general-purpose computer, 
the computer program including instructions for said general purpose computer to 
configure it to be as the computing entity of the present invention. 

An attractive feature of the scheme of the present invention is that it offers non-
repudiation in a very simple manner. Non-repudiation for signcryption is not a
straightforward consequence of unforgeability as it is for digital signature schemes.
The reason for this is that a signcrypted message is "encrypted" as well as "signed".
Therefore, by default, only the intended receiver of a signcryption may verify its
authenticity. If a third party is to settle a repudiation dispute over a signcryption, it
must have access to some information in addition to the signcryption itself. Of course
the receiver could always surrender its private key, but this is clearly unsatisfactory. It
is often the case that several rounds of zero-knowledge proof are required. This is not the
case for schemes according to the present invention.

The scheme may use a padding scheme similar to PSS [7,8]. The PSS padding
scheme was originally designed to create a provably secure signature algorithm when
used with RSA [7]. It was subsequently pointed out in [8] that a version of PSS could
also be combined with RSA to create a provably secure encryption function. As
demonstrated here, this makes PSS padding perfect for RSA based signcryption. The
resulting scheme is very efficient in terms of bandwidth: a signcryption is half the size
of a message signed and encrypted using standard techniques for RSA. For this
reason we give it the name Two Birds One Stone, referred to for convenience as
"TBOS" in this application.

It is envisaged that this scheme could be used in an e-commerce scenario such as
signcrypting a bankcard payment authorization. Here one RSA block suffices and, as
discussed above, the scheme offers non-repudiation, which is clearly desirable for
such an application. An alternative use could be signcryption of session keys in a key
transport protocol.

Embodiments of the present invention will now be described, by way of example 
only, with reference to the accompanying drawings of which: 

Figure 1 is a schematic diagram of a system of co-operating computer entities 
performing the method of the present invention; 

Figure 2 is a schematic diagram of the computing entities of the system of 
Figure 1; 

Figure 3 is a high level description of a first embodiment of the method of the 
present invention; 

Figure 4 is a high level description of a second embodiment of the method of
the present invention.

In the following description numerous specific details are set forth in order to provide 
a thorough understanding of the present invention. It will be apparent, however to 
one skilled in the art, that the present invention may be practiced without limitation to 
these specific details. In other instances, well-known methods and structures have not 
been described in detail so as not to unnecessarily obscure the present invention. 

Referring to Figure 1, there is illustrated schematically two computing entities 102,
104, configured for communicating electronic data with each other over a
communications network, in this case the internet 106, by communicating data 108,
110 to each other via the internet 106 in well known manner. Illustrated in Figure 1
is a first computing entity 102, hereinafter referred to as entity A or Alice, and a second
computing entity 104, hereinafter referred to as entity B or Bob. In the example illustrated
in Figure 1, the first and second computing entities 102 and 104 are geographically
remote from each other and the communications network comprises the known
internet 106. In other embodiments and implementations of the present invention the
communications network could comprise any suitable means of transmitting digitized
data between the computing entities. For example, a known Ethernet network, local
area network, wide area network, virtual private circuit or public telecommunications
network may form the basis of a communications medium between the computing
entities 102 and 104.

The computing entities 102 and 104 have been programmed by storing on memories
203 and 205 programs read from computer program storage media 112 and 114, for
example a CD-ROM.

Referring now to Figure 2, there is illustrated schematically the physical resources and
logical resources of the computing entities A and B. Each computing entity
comprises at least one data processing means 200, 202, a memory area 203, 205, a
communications port 206, 208, and an operating system, for example a known Unix
operating system. One or more application programs 212, 214 are configured for receiving,
transmitting and performing data processing on electronic data received from other
computing entities, and transmitted to other computing entities, in accordance with
specific methods of the present invention. Optionally there is a user interface 215,
217 which may comprise a visual display device, a pointing device, e.g. a mouse or
track-ball device, a keypad, and a printer.

Under control of the respective application program 212, 214 each of the computing 
entities 102, 104 is configured to operate according to a method of the present 
invention, specific embodiments of which will now be described. 



2 Two Birds One Stone (TBOS)
2.1 Abstract TBOS



The cryptosystem of the present invention makes use of what will here be called a
permutation with trapdoors. A permutation with trapdoors $f : \{0,1\}^k \to \{0,1\}^k$ is a
function that requires some secret, or "trapdoor", information to evaluate and some
different secret information to invert. In the scheme described below it will be
assumed that the sender of messages, Alice, knows the secret information necessary to
evaluate f and the receiver, Bob, knows the secret information necessary to evaluate
$f^{-1}$.

The scheme may be used to signcrypt messages from $\{0,1\}^n$, where $k = n + k_0 + k_1$ for
integers $k_0$ and $k_1$. Before f is applied to a message some random padding is applied.
The padding used is similar to PSS [7,8]. We describe how the scheme works below.

Parameters

The scheme requires two hash functions

$H : \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}$ and $G : \{0,1\}^{k_1} \to \{0,1\}^{n+k_0}$.

Signcryption

For Alice to signcrypt a message $m \in \{0,1\}^n$ for Bob:

1. $r \xleftarrow{R} \{0,1\}^{k_0}$

2. $\omega \leftarrow H(m \| r)$

3. $s \leftarrow G(\omega) \oplus (m \| r)$

4. $c \leftarrow f(s \| \omega)$

5. Send c to Bob

Unsigncryption

For Bob to unsigncrypt a cryptogram c from Alice:

1. $s \| \omega \leftarrow f^{-1}(c)$

2. $m \| r \leftarrow G(\omega) \oplus s$

3. If $H(m \| r) = \omega$ accept m
   Else reject

As it stands there is no obvious way to provide non-repudiation. We discuss how this
problem is addressed by the present invention in the next section.



2.2 RSA-TBOS 



We now show how RSA is used to create something like a permutation with
trapdoors, as in Section 2.1, for use with TBOS. It is not claimed that the resulting
function is a permutation. This is not necessary for the proof of security.

Referring now to Figure 3, there is shown a pseudo-code flow description of the steps
of an embodiment of the present invention by which a first computing entity, "Alice",
signcrypts a message, m, for transmittal to a second computing entity, "Bob".

It is assumed sender Alice has generated an RSA key pair $(N_A, e_A)$, $(N_A, d_A)$, with
$N_A = P_A \cdot Q_A$ and $|P_A| = |Q_A| = k/2$. Here and henceforth k is an even positive integer. A
receiver Bob is assumed to have done likewise giving him an RSA key pair $(N_B, e_B)$,
$(N_B, d_B)$. G and H are as described above. Here, if a bit string $\alpha \| \beta$ represents an
integer, then $\alpha$ represents the most significant bits of that integer.

Signcryption

For Alice to signcrypt a message $m \in \{0,1\}^n$ for Bob:

1. $r \xleftarrow{R} \{0,1\}^{k_0}$

2. $\omega \leftarrow H(m \| r)$

3. $s \leftarrow G(\omega) \oplus (m \| r)$

4. If $s \| \omega > N_A$ goto 1

5. $c' \leftarrow (s \| \omega)^{d_A} \bmod N_A$

6. If $c' > N_B$, $c' \leftarrow c' - 2^{k-1}$

7. $c \leftarrow c'^{e_B} \bmod N_B$

8. Send c to Bob

Unsigncryption

For Bob to unsigncrypt a cryptogram c from Alice:

1. $c' \leftarrow c^{d_B} \bmod N_B$

2. If $c' > N_A$, reject

3. $\mu \leftarrow c'^{e_A} \bmod N_A$

4. Parse $\mu$ as $s \| \omega$

5. $m \| r \leftarrow G(\omega) \oplus s$

6. If $H(m \| r) = \omega$, return m

7. $c' \leftarrow c' + 2^{k-1}$

8. If $c' > N_A$, reject

9. $\mu \leftarrow c'^{e_A} \bmod N_A$

10. Parse $\mu$ as $s \| \omega$

11. $m \| r \leftarrow G(\omega) \oplus s$

12. If $\omega \neq H(m \| r)$, reject

13. Return m

The point of step 6 in signcryption is to ensure that $c' < N_B$. If $c'$ initially fails this
test then we have $N_A > c' > N_B$. Since both $N_A$ and $N_B$ have k bits we infer that $c'$ also
has k bits and so the assignment $c' \leftarrow c' - 2^{k-1}$ is equivalent to removing the most
significant bit of $c'$. This gives us $c' < N_B$ as required. Note that this step may cause
an additional step in unsigncryption. In particular it may be necessary to perform
$c'^{e_A} \bmod N_A$ twice (the two values of $c'$ will differ by $2^{k-1}$). It would have been possible to
define an alternative scheme under which the trial and error occurs in signcryption.
This would mean repeating steps 1-5 in signcryption with different values of r until
$c' < N_B$ is obtained.

Non-repudiation is very simple for RSA-TBOS. The receiver of a signcryption
follows the unsigncryption procedure up until stage 2; $c'$ may then be given to a third
party who can verify its validity.
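The RSA-TBOS signcryption and unsigncryption procedures above, the alternative scheme in which the trial and error is moved into signcryption, and the third-party check used for non-repudiation, as an added worked example in Python. This code is not part of the application. Everything the text leaves open is an assumption here: H and G are instantiated from SHA-256 with domain separation, the demonstration parameters are k = 512, k0 = k1 = 128 and n = 256 (the text recommends 2048-bit moduli in practice), RSA keys come from a Miller-Rabin search for k/2-bit primes, and the function names are ours.

```python
import hashlib
import math
import secrets

# Demo parameters (assumed): |N_A| = |N_B| = k, |r| = k0, |omega| = k1, n = k - k0 - k1.
K, K0, K1 = 512, 128, 128
N_BITS = K - K0 - K1


def is_probable_prime(x: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases (demo quality, not side-channel hardened)."""
    if x < 4 or x % 2 == 0:
        return x in (2, 3)
    d, s = x - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        y = pow(2 + secrets.randbelow(x - 3), d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, x)
            if y == x - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random prime with its top two bits set, so that P*Q has exactly 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(e: int = 65537):
    """RSA key pair ((N, e), (N, d)) with |P| = |Q| = k/2 and |N| = k, as the text assumes."""
    while True:
        p, q = gen_prime(K // 2), gen_prime(K // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _expand(tag: bytes, data: bytes, bits: int) -> int:
    """SHA-256 expanded MGF1-style to `bits` bits: our (assumed) instantiation of H and G."""
    out, ctr = b"", 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(tag + ctr.to_bytes(4, "big") + data).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - bits)


def H(m_r: int) -> int:  # H : {0,1}^{n+k0} -> {0,1}^{k1}
    return _expand(b"H", m_r.to_bytes((N_BITS + K0) // 8, "big"), K1)


def G(w: int) -> int:  # G : {0,1}^{k1} -> {0,1}^{n+k0}
    return _expand(b"G", w.to_bytes(K1 // 8, "big"), N_BITS + K0)


def signcrypt(m: int, sk_a, pk_b, retry_in_signcryption: bool = False) -> int:
    """Alice (sk_a = (N_A, d_A)) signcrypts the n-bit message m for Bob (pk_b = (N_B, e_B)).

    False: drop the MSB of c' when it is not below N_B (first scheme).
    True: pick a fresh r until c' < N_B (alternative scheme).
    """
    n_a, d_a = sk_a
    n_b, e_b = pk_b
    if not 0 <= m < (1 << N_BITS):
        raise ValueError("message must be an n-bit string")
    while True:
        r = secrets.randbits(K0)
        m_r = (m << K0) | r                   # m || r
        w = H(m_r)
        s = G(w) ^ m_r
        x = (s << K1) | w                     # s || w as a k-bit integer
        if x >= n_a:                          # steps 1-3 repeated until s||w < N_A
            continue
        c1 = pow(x, d_a, n_a)                 # sign: c' = (s||w)^{d_A} mod N_A
        if c1 >= n_b:                         # >= rather than >: c' = N_B would encrypt to 0
            if retry_in_signcryption:
                continue
            c1 -= 1 << (K - 1)                # c' has k bits here, so this drops its MSB
        return pow(c1, e_b, n_b)              # encrypt: c = c'^{e_B} mod N_B


def verify_signature(c1: int, pk_a):
    """Third-party check of c' = (s||w)^{d_A} mod N_A; returns m, or None on reject."""
    n_a, e_a = pk_a
    if c1 >= n_a:
        return None
    mu = pow(c1, e_a, n_a)
    s, w = mu >> K1, mu & ((1 << K1) - 1)    # parse mu as s || w
    m_r = G(w) ^ s
    return m_r >> K0 if H(m_r) == w else None


def unsigncrypt(c: int, sk_b, pk_a):
    """Bob returns (m, c') on success or None on reject; c' is what he can show a third party."""
    n_b, d_b = sk_b
    c1 = pow(c, d_b, n_b)
    for cand in (c1, c1 + (1 << (K - 1))):    # second candidate restores a dropped MSB
        m = verify_signature(cand, pk_a)
        if m is not None:
            return m, cand
    return None
```

unsigncrypt tries $c'$ and then $c' + 2^{k-1}$, exactly as steps 1-13 above do, and returns the candidate that verified. That value, not the raw $c^{d_B} \bmod N_B$, is what Bob hands to a third party, and verify_signature is that third party's check: it needs only Alice's public key and recovers m in the process. The one deliberate deviation from the listing is the test $c' \ge N_B$ in place of $c' > N_B$, since $c' = N_B$ would encrypt to 0.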



3 Security Notions for Signcryption Schemes 
3.1 IND-CCA2 for Signcryption Schemes 

We take as our starting point the standard definition of indistinguishability of 
encryptions under adaptive chosen ciphertext attack (IND-CCA2) for public key 
encryption schemes [1,4, 5, 10, 11]. A public key encryption scheme enjoys IND- 
CCA2 security if it is not possible for an adversary to distinguish the encryptions 
of two messages of its choice under a particular public key, even when it has 
access to a decryption oracle for this public key. The adversary is able to query 
the decryption oracle before choosing its two messages and its queries may be 
determined given information gleaned from previous queries. The adversary is 
then given the challenge ciphertext i.e. the encryption under the public key in 
question of one of the two messages chosen at random. It is allowed to continue 
to query the decryption oracle subject to the condition that it does not query 
the challenge ciphertext itself. The adversary wins if it correctly guesses which 
of the two messages was encrypted. 

In our definition of IND-CCA2 security for signcryption we allow the adversary
access to an unsigncryption oracle for the target receiver's key in a similar
manner to that described above for encryption schemes. The difference here is
that an oracle for the target receiver's unsigncryption algorithm must be defined
with respect to some sender's public key. We therefore consider an attack on two
users: a sender and a receiver.

In the case of public key encryption schemes the adversary is able to encrypt
any messages that it likes under the public key that it is attacking. This is not the
case for signcryption schemes. The private key of the target sender is required
in signcryption and so the adversary is not able to produce signcryptions on its
own. We must therefore provide the adversary with a signcryption oracle for the
keys of the target sender and the target receiver. For an encryption scheme the
adversary is able to use its own choice of randomness to generate encryptions; we
therefore allow the adversary to choose the randomness used by the signcryption
oracle, except for challenge ciphertext generation.

We give a more concrete description of the attack below. 

Setup 

Using the global system parameters two private/public key pairs $(x_A, Y_A)$ and
$(x_B, Y_B)$ are generated for a target sender and receiver respectively.

Find 

The adversary is given $Y_A$ and $Y_B$; it is also given access to two oracles: a
signcryption oracle for $Y_A, Y_B$ and an unsigncryption oracle for $Y_A, Y_B$. The
adversary is allowed to choose the random input as well as the message for the
signcryption oracle. At the end of this phase the adversary outputs two messages
$m_0$ and $m_1$ with $|m_0| = |m_1|$.

Challenge 

A bit b is chosen uniformly at random. The message $m_b$ is signcrypted under
$Y_A, Y_B$ to produce $c^*$ which is given to the adversary.



Guess

The adversary may continue to query its oracles subject to the condition that
it does not query its unsigncryption oracle with $c^*$. At the end of this phase the
adversary outputs a bit $b'$. The adversary wins if $b' = b$.

If A is an adversary as described above we define its advantage as:

$$\mathrm{Adv}(A) = |2 \cdot \Pr[b' = b] - 1|.$$

We say that a signcryption scheme is IND-CCA2 secure if the advantage of any
polynomial-time adversary is a negligible¹ function of the security parameter of
the scheme.

3.2 Unforgeability of Signcryption Schemes 

We adapt the definition of existential unforgeability under adaptive chosen
message attack [13] for signature schemes to the signcryption setting.

When using a signature scheme, the only private key used in signature
generation belongs to the sender. An adversary can therefore be anyone, since there is
no difference in the ability to forge signatures between a receiver of signed
messages and a third party. For a signcryption scheme however, signature generation
uses the receiver's public key as well as the sender's keys. In this instance there
may be a difference in the ability to forge signcryptions between the receiver
and a third party, since only the receiver knows the private key corresponding to
its public key. With the above in mind we assume that an adversary has access
to the private key of the receiver as well as the public key of the sender. It can
therefore perform unsigncryption itself.

We allow an adversary to query a signcryption oracle for the target sender's 
private key. This oracle takes as input a message, and an arbitrary public key 
chosen by the adversary. The oracle returns the signcryption of the message 
under the target sender's key and the key chosen by the adversary. 

We say that the adversary wins if it produces a valid forged signcryption on 
some message under the target sender's public key. This message must not have 
been queried to the signcryption oracle during the attack. 

If A is an adversary as described above we define its advantage as:

$$\mathrm{Adv}(A) = \Pr[A \text{ wins}].$$

We say that a signcryption scheme is existentially unforgeable under adaptive 
chosen message attack if the advantage of any polynomial-time adversary is a 
negligible function of the security parameter of the scheme. 

4 IND-CCA2 Security of TBOS 
4.1 The Underlying Hard Problem 

If the secret information necessary to evaluate a permutation with trapdoors f
is made public, then f becomes a standard trapdoor one-way permutation. We
call this the induced trapdoor one-way permutation of f. First of all we consider
the security of TBOS under the partial-domain one-wayness [12] of the induced
trapdoor one-way permutation of f. Let us first state formally the definitions
that we will use. Below f will be a trapdoor one-way permutation.

¹ A function $\varepsilon(k)$ is negligible if for every c there exists a $k_c$ such that
$\varepsilon(k) < k^{-c}$ for all $k > k_c$.

Definition 1 (One-wayness). The function f is $(t, \varepsilon)$-one-way
if the success probability of any adversary A wishing to recover the preimage of
$f(s \| \omega)$ in time less than t is upper bounded by $\varepsilon$. We state this as:

$$\mathrm{Adv}^{ow}_f(A) = \Pr_{s,\omega}[A(f(s \| \omega)) = s \| \omega] < \varepsilon.$$

For any f we denote the maximum value of $\mathrm{Adv}^{ow}_f(A)$ over all adversaries
running for time t as $\mathrm{Adv}^{ow}_f(t)$.

Definition 2 (Partial-domain one-wayness). The function f is $(t, \varepsilon)$-partial
domain one-way if the success probability of any adversary A wishing to recover
the partial preimage of $f(s \| \omega)$ in time less than t is upper bounded by $\varepsilon$. We
state this as:

$$\mathrm{Adv}^{pd\text{-}ow}_f(A) = \Pr_{s,\omega}[A(f(s \| \omega)) = \omega] < \varepsilon.$$

For any f we denote the maximum value of $\mathrm{Adv}^{pd\text{-}ow}_f(A)$ over all adversaries
running for time t as $\mathrm{Adv}^{pd\text{-}ow}_f(t)$.

Definition 3 (Set partial-domain one-wayness). The function f is $(\ell, t, \varepsilon)$-
set partial domain one-way if the success probability of any adversary A wishing
to output a set of $\ell$ elements which contains the partial preimage of $f(s \| \omega)$ in
time less than t is upper bounded by $\varepsilon$. We state this as:

$$\mathrm{Adv}^{s\text{-}pd\text{-}ow}_f(A) = \Pr_{s,\omega}[\omega \in A(f(s \| \omega))] < \varepsilon.$$

For any f and $\ell$ we denote the maximum value of $\mathrm{Adv}^{s\text{-}pd\text{-}ow}_f(A)$ over all
adversaries running for time t as $\mathrm{Adv}^{s\text{-}pd\text{-}ow}_f(\ell, t)$.

Suppose that an adversary is given c and successfully returns a set of $\ell$ elements
of which one is $\omega$ such that $f(s \| \omega) = c$ for some s. It is now possible to break the
partial-domain one-wayness of f by selecting one of these elements at random.
This tells us that

$$\mathrm{Adv}^{pd\text{-}ow}_f(t) \ge \mathrm{Adv}^{s\text{-}pd\text{-}ow}_f(\ell, t) / \ell. \qquad (1)$$
4.2 IND-CCA2 Security of Abstract TBOS 

Theorem 1. Let A be an adversary using a CCA2 attack to break TBOS (as
defined in Section 2.1). Suppose that A has advantage $\varepsilon$ after running for time
t, making at most $q_g$, $q_h$, $q_s$ and $q_u$ queries to G, H, the signcryption oracle and
the unsigncryption oracle respectively. Suppose that TBOS is implemented with a
k-bit permutation with trapdoors f and let $f'$ be the induced trapdoor one-way
permutation of f. We have the following:

$$\mathrm{Adv}^{pd\text{-}ow}_{f'}(t') \ge \frac{\varepsilon - 2^{-k_0} \cdot (q_h + q_s) - 2^{-k_1} \cdot q_u}{q_g + q_h + q_s},$$

where $t' = t + t_g \cdot (q_g + q_h + q_s) + t_h \cdot (q_h + q_s) + t_s \cdot q_s + t_u \cdot q_u$, $t_g$ is the time taken
to simulate the random oracle G (in the proof of Lemma 1 below) and $t_h$, $t_s$ and
$t_u$ are defined analogously.

This follows from (1), with $\ell = q_g + q_h + q_s$, and the following lemma.

Lemma 1. Using the notation of Theorem 1 we have

$$\mathrm{Adv}^{s\text{-}pd\text{-}ow}_{f'}(q_g + q_h + q_s, t') \ge \varepsilon - 2^{-k_0} \cdot (q_h + q_s) - 2^{-k_1} \cdot q_u.$$

Proof. We will show how the adversary A may be used to break the set partial-
domain one-wayness of $f'$ by finding the partial preimage of $c^*$ chosen at random
from the range of $f'$. Note that the adversary does not know the secret
information necessary to evaluate f. The proof is similar to the corresponding
proof in [8].

We will consider an attack on two users: Alice, the target sender who knows
how to evaluate f, and Bob, the target receiver who knows how to evaluate $f^{-1}$.
We run adversary A on input of all universal public parameters and the public
keys of Alice and Bob. It is necessary to show how to respond to A's queries to
the random oracles G and H and the signcryption/unsigncryption oracles. We
denote the algorithms to do this as $G_{sim}$, $H_{sim}$, $S_{sim}$ and $U_{sim}$ respectively and
we describe them below. To make our simulations sound we keep two lists, $L_G$
and $L_H$, that are initially empty. The list $L_G$ will consist of query/response pairs
to the random oracle G. The list $L_H$ will do the same for H. It will also store
some extra information as described in $H_{sim}$ below. At the end of the simulation
we hope to find the partial preimage of $c^*$ among the queries in $L_G$.

$G_{sim}(\omega)$:
    If $(\omega, x) \in L_G$ for some x: return x.
    Else: $x \xleftarrow{R} \{0,1\}^{n+k_0}$; add $(\omega, x)$ to $L_G$; return x.

$H_{sim}(m \| r)$:
    If $(m \| r, \omega, c) \in L_H$ for some $\omega$: return $\omega$.
    Else: $\omega \xleftarrow{R} \{0,1\}^{k_1}$; $x \leftarrow G_{sim}(\omega)$; $s \leftarrow x \oplus (m \| r)$;
    add $(m \| r, \omega, f(s \| \omega))$ to $L_H$; return $\omega$.

$S_{sim}(m \| r)$:
    Run $H_{sim}(m \| r)$; search $L_H$ for the entry $(m \| r, \omega, c)$; return c.

$U_{sim}(c)$:
    If $(m \| r, \omega, c) \in L_H$ for some m: return m. Else reject.

Note that in $H_{sim}$ above we assume that each query has the form $m \| r$. All this
means is that each query has length $n + k_0$ bits and so may be parsed as $m \| r$ where
m has n bits and r has $k_0$ bits. We make this assumption because, in the random
oracle model, it would not help A to make queries of length different from $n + k_0$.

We also allow A to make queries of the form $m \| r$ to $S_{sim}$, i.e. we allow A
to provide its own random input. This is consistent with a CCA2 attack on an
encryption scheme such as RSA-PSS where an adversary can encrypt messages
itself using its own random input.

At the end of the find stage A outputs $m_0$ and $m_1$. We choose a bit b uniformly
at random and supply the adversary with $c^*$ as the signcryption of $m_b$. Suppose
$c^* = f(s^* \| \omega^*)$; this places the following constraints on the random oracles G
and H:

$$H(m_b \| r^*) = \omega^* \quad \text{and} \quad G(\omega^*) = s^* \oplus (m_b \| r^*). \qquad (2)$$

We denote by AskG the event that during A's attack $\omega^*$ has ended up in $L_G$.
We denote by AskH the event that the query $m \| r^*$ has ended up in $L_H$ for some m.

If $\omega^* \notin L_G$ then $G(\omega^*)$ is undefined and so $r^*$ is a uniformly distributed
random variable. Therefore the probability that there exists an m such that
$m \| r^* \in L_H$ is at most $2^{-k_0} \cdot (q_h + q_s)$. This tells us that

$$\Pr[\mathrm{AskH} \mid \neg\mathrm{AskG}] \le 2^{-k_0} \cdot (q_h + q_s). \qquad (3)$$

Our simulation $U_{sim}$ can only fail if it outputs reject when it is presented with a
valid ciphertext. We denote this event UBad. Suppose that $U_{sim}$ is queried with
$c = f(s \| \omega)$ and let $m \| r = G(\omega) \oplus s$.

We may mistakenly reject a valid ciphertext if $H(m \| r) = \omega$ while $m \| r$ is not
in $L_H$. Suppose that this query occurs before $c^*$ is given to A; then, since $m \| r$ is
not in $L_H$, $H(m \| r)$ will take its value at random. If this query is made after $c^*$
is given to A then $c \neq c^*$ means that $(m, r) \neq (m_b, r^*)$ and so (2) is irrelevant.
In either case $H(m \| r)$ may take its value at random, which means that

$$\Pr[\mathrm{UBad}] \le 2^{-k_1} \cdot q_u. \qquad (4)$$

Let us define the event Bad as

$$\mathrm{Bad} = \mathrm{AskG} \vee \mathrm{AskH} \vee \mathrm{UBad}. \qquad (5)$$

Let us denote the event that the adversary wins, i.e. it outputs $b'$ such that
$b' = b$, by S. In the event $\neg\mathrm{Bad}$ the bit b is independent of our simulations, and
therefore independent of the adversary's view. We infer from this that

$$\Pr[S \mid \neg\mathrm{Bad}] = \tfrac{1}{2}. \qquad (6)$$

Also, in the event $\neg\mathrm{Bad}$, the adversary interacts with a perfect simulation of
random oracles and signcryption/unsigncryption oracles. This gives us

$$\Pr[S \wedge \neg\mathrm{Bad}] \ge \tfrac{1}{2} + \tfrac{\varepsilon}{2} - \Pr[\mathrm{Bad}]. \qquad (7)$$

From (6) we obtain

$$\Pr[S \wedge \neg\mathrm{Bad}] = \Pr[S \mid \neg\mathrm{Bad}] \cdot \Pr[\neg\mathrm{Bad}] = \tfrac{1}{2} \cdot (1 - \Pr[\mathrm{Bad}]). \qquad (8)$$



Combining (7) with (8) gives us

$$\Pr[\mathrm{Bad}] \ge \varepsilon. \qquad (9)$$

From (5) we have

$$\begin{aligned}
\Pr[\mathrm{Bad}] &\le \Pr[\mathrm{AskG} \vee \mathrm{AskH}] + \Pr[\mathrm{UBad}] \\
&= \Pr[\mathrm{AskG}] + \Pr[\mathrm{AskH} \wedge \neg\mathrm{AskG}] + \Pr[\mathrm{UBad}] \\
&\le \Pr[\mathrm{AskG}] + \Pr[\mathrm{AskH} \mid \neg\mathrm{AskG}] + \Pr[\mathrm{UBad}].
\end{aligned} \qquad (10)$$

Together (3), (4) and (10) give us

$$\Pr[\mathrm{AskG}] \ge \varepsilon - 2^{-k_0} \cdot (q_h + q_s) - 2^{-k_1} \cdot q_u. \qquad (11)$$

The result follows.

4.3 IND-CCA2 Security of RSA-TBOS

We now adapt the result of Section 4.2 to give a proof of the IND-CCA2 security
of RSA-TBOS (as defined in Section 2.2) in the random oracle model under the
assumption that the RSA function is one-way.

As in Lemma 1 we will assume that there is an adversary A that runs for
time t and has advantage $\varepsilon$ in breaking the IND-CCA2 security of RSA-TBOS
after making at most $q_g$, $q_h$, $q_s$ and $q_u$ queries to G, H, the signcryption oracle
and the unsigncryption oracle respectively. Given an RSA public key $(N_B, e_B)$,
with $N_B = P_B \cdot Q_B$ and $|P_B| = |Q_B| = k/2$, and $c^*$, we will show how A may
be used to compute the $e_B$-th root of $c^*$ modulo $N_B$.

The first step is to generate an RSA key pair $(N_A, e_A)$, $(N_A, d_A)$ with $N_A =
P_A \cdot Q_A$ where $|P_A| = |Q_A| = k/2$. We use $G_{sim}$, $S_{sim}$ and $U_{sim}$ from Lemma 1;
we replace $H_{sim}$ with the algorithm below.

$H_{sim}(m \| r)$
If $(m \| r, \omega, c) \in L_H$ for some $\omega$, return $\omega$.
Else:

1. $\omega \xleftarrow{R} \{0,1\}^{k_0}$

2. $x \leftarrow G_{sim}(\omega)$

3. $s \leftarrow x \oplus (m \| r)$

4. If $s \| \omega > N_A$, goto 1

5. $c' \leftarrow (s \| \omega)^{d_A} \bmod N_A$

6. If $c' > N_B$, $c' \leftarrow c' - 2^{k-1}$

7. $c \leftarrow c'^{e_B} \bmod N_B$

8. Add $(m \| r, \omega, c)$ to $L_H$

9. Return $\omega$

The event Bad is defined as in (5) in the proof of Lemma 1. In our simulation
here we are again going to supply A with $c^*$ as the challenge ciphertext. This
gives us an extra consideration in our simulation. We say that our simulation is
Good if (i) $c^{*d_B} \bmod N_B < N_A$ and (ii) $\gcd(c^{*d_B} \bmod N_B, N_A) = 1$. Over the
random choices of $(N_B, e_B)$, $c^*$ and $N_A$ we have $\Pr[(i)] = 1/2$ and
$\Pr[(ii) \mid (i)] \ge 1 - 2^{-(k/2)+(3/2)}$, hence

$$\Pr[\mathrm{Good}] \ge \left(2^{-1} - 2^{-\frac{k}{2}+\frac{1}{2}}\right). \qquad (12)$$

Consider (4) in the proof of Lemma 1 for Abstract TBOS. For RSA-TBOS there
are two possibilities for a ciphertext to be valid and so we have

$$\Pr[\mathrm{UBad}] \le 2^{-(k_1-1)} \cdot q_u. \qquad (13)$$

We may now use a similar argument as that used to derive (11) in the proof of
Lemma 1 to give us

$$\Pr[\mathrm{AskG} \mid \mathrm{Good}] \ge \varepsilon - 2^{-k_0} \cdot (q_h + q_s) - 2^{-(k_1-1)} \cdot q_u \qquad (14)$$

in our new simulation. We are interested in the event $\mathrm{AskG} \wedge \mathrm{Good}$. We have

$$\Pr[\mathrm{AskG} \wedge \mathrm{Good}] = \Pr[\mathrm{AskG} \mid \mathrm{Good}] \cdot \Pr[\mathrm{Good}]. \qquad (15)$$

Together (12), (14) and (15) tell us

$$\Pr[\mathrm{AskG} \wedge \mathrm{Good}] \ge \left(2^{-1} - 2^{-\frac{k}{2}+\frac{1}{2}}\right) \cdot \left(\varepsilon - 2^{-k_0} \cdot (q_h + q_s) - 2^{-(k_1-1)} \cdot q_u\right) = \delta. \qquad (16)$$

Now, in the event $\mathrm{AskG} \wedge \mathrm{Good}$ we recover a set $L_G$ of size

$$q = q_g + q_h + q_s, \qquad (17)$$

containing the $k_1$ least significant bits of $z_0^*$ where $(z_0^{*d_A} \bmod N_A)^{e_B} \bmod N_B =
c^*$. Call these bits $\omega_0$.

Once we have run our simulation once with challenge ciphertext $c^*$ and
obtained $L_G$ we do the following:

For $i = 1, \ldots, v-1$:
    $c_i^* \leftarrow c^* \cdot \alpha_i^{e_B} \bmod N_B$ for a randomly chosen $\alpha_i$
    Run the simulation with challenge ciphertext $c_i^*$,
    keeping a list $L_{G_i}$ for G query/response pairs

For $i = 1, \ldots, v-1$, after each run we end up with a list of size q containing
the $k_1$ least significant bits of $z_0^* \cdot \beta_i \bmod N_A$ where $\beta_i = \alpha_i^{e_A} \bmod N_A$, with
probability at least that of $\mathrm{AskG} \wedge \mathrm{Good}$ as given in (16). Now, if each of the v runs
of our simulation were successful, we have $\omega_0 \in L_G, \omega_1 \in L_{G_1}, \ldots, \omega_{v-1} \in L_{G_{v-1}}$
such that

$$\begin{aligned}
z_0^* &= \omega_0 + 2^{k_1} \cdot x_0 \bmod N_A, \\
\beta_i \cdot z_0^* &= \omega_i + 2^{k_1} \cdot x_i \bmod N_A \quad \text{for } i = 1, \ldots, v-1,
\end{aligned} \qquad (18)$$

where $z_0^*$ and $x_0, \ldots, x_{v-1}$ are unknown. Now, for $i = 1, \ldots, v-1$ let

$$\gamma_i = 2^{-k_1} \cdot (\beta_i \omega_0 - \omega_i) \bmod N_A. \qquad (19)$$

From (18) and (19) we derive the following for $i = 1, \ldots, v-1$:

$$x_i - \beta_i \cdot x_0 = \gamma_i \bmod N_A. \qquad (20)$$
We have the following lemma from [9].

Lemma 2. Suppose $2^{k-1} < N_A < 2^k$, $k > 64$ and $k/(k_1)^2 < 2^{-6}$. If the set of
equations (20) has a solution $x = (x_0, \ldots, x_{v-1})$ such that $0 \le x_i < 2^{k-k_1}$ for all i, then
for all values of $\beta = (\beta_1, \ldots, \beta_{v-1})$, except for a fraction

$$\frac{2^{v(k-k_1+v+2)}}{N_A^{v-1}} \qquad (21)$$

of them, this solution is unique and can be computed in time polynomial in v
and in the size of $N_A$.

It is also shown in [8] that taking $v = \lceil (5k)/(4k_1) \rceil$ gives

$$\frac{2^{v(k-k_1+v+2)}}{N_A^{v-1}} < 2^{-k/8}. \qquad (22)$$

If we have v successful runs of our simulation we still do not know which elements
of the $L_G$'s form the equations (20) and so to use this method we will have to
apply the Lemma 2 algorithm $q^v$ times. Once we have a solution to (20) we know
$z_0^*$ such that $c^* = (z_0^{*d_A} \bmod N_A)^{e_B} \bmod N_B$. From this we may use $d_A$ to
compute $z^*$, the $e_B$-th root of $c^*$, as

$$z^* = z_0^{*d_A} \bmod N_A. \qquad (23)$$

Now, from (16), (20), (22), (23) and Lemma 2 we obtain the result below.
Now, from (16), (20), (22), (23) and Lemma 2 we obtain the result below. 

Theorem 2. Let A be an adversary that uses a CCA2 attack to attempt to break
RSA-TBOS with security parameter k. Suppose that A succeeds with probability $\varepsilon$
in time t after making at most $q_g$, $q_h$, $q_s$ and $q_u$ queries to G, H, the signcryption
oracle and the unsigncryption oracle respectively. In the random oracle model for
G and H we may use A to invert RSA with probability $\varepsilon'$ in time $t'$ where

$$\varepsilon' \ge \delta^v - 2^{-k/8},$$

$$t' \le v \cdot t + (q_g + q_h + q_s)^v \cdot \mathrm{poly}(k) + 2 \cdot v \cdot (q_h + q_s) \cdot T,$$

$v = \lceil (5k)/(4k_1) \rceil$, $\delta$ is as in (16), and T is the time it takes for a modular exponentiation.

Note that as is the case in the proofs of security for RSA-OAEP [12] and PSS
with standard RSA [8], our reduction is far from tight. Consequently, for the
proof of security to be meaningful, we recommend using 2048-bit RSA moduli.
5 Unforgeability of RSA-TBOS

Before we give our security result we must discuss exactly what constitutes a
forged RSA-TBOS signcryption. Suppose that we have a user of RSA-TBOS
with public key $(N_B, e_B)$. This user can produce a random c and claim
to have forged a signcryption from the user who owns key $(N_A, e_A)$. Without
knowing $(N_B, d_B)$ it would not be possible to verify this claim. A forged signcryption
by the owner of $(N_B, e_B)$ must therefore be presented by following the
unsigncryption procedure up until stage 2; $c'$ may then be given to a third party who
can verify its validity.

Let us suppose that we have an RSA public key $(N_A, e_A)$ and $c$ whose 
$e_A$-th root we wish to compute. We show in the appendix how to use $\mathcal{A}$, a forging 
adversary of RSA-TBOS, to do this. This gives the result below. 

Theorem 3. Let $\mathcal{A}$ be an adversary attempting to forge RSA-TBOS signcryptions. 
Let $k$ be the security parameter of RSA-TBOS. Suppose that $\mathcal{A}$ succeeds 
with probability $\epsilon$ in time $t$ after making at most $q_g$, $q_h$ and $q_s$ queries to $G$, $H$ 
and the signcryption oracle respectively. In the random oracle model we may use 
$\mathcal{A}$ to invert RSA with probability $\epsilon'$ in time $t'$ where 

$$\epsilon' \ge \epsilon - q_s \cdot \left(2^{-(k_0+1)} \cdot (2q_h + q_s - 1) + 2^{-(k_1+1)} \cdot (2q_g + 2q_h + q_s - 1)\right) - 2^{-(k_1+1)} \cdot q_h \cdot (2q_g + q_h + 2q_s - 1),$$

$$t' \le t + (q_h + 2q_s) \cdot T, \tag{24}$$

where $T$ is the time it takes for a modular exponentiation. 
6 Conclusion 

We have proposed a provably secure signcryption scheme based on the RSA function. 
This scheme is attractive in that it produces very compact signcryptions 
with little extra computational cost. Also, our scheme offers non-repudiation in 
a very simple manner. 

In the future it would be interesting to adapt these ideas to produce a scheme 
that is provably secure under the stronger definitions of security proposed for 
signcryption in [3]. It is also important to investigate the possibility of a padding 
scheme for which there exists a tighter security reduction. 
Proof of Theorem 2 



Our proof technique is similar to one used in [7]. We are going to run the 
adversary $\mathcal{A}$ in a simulated environment. We first describe our simulation before 
analysing how it could fail and showing how it could be used to invert the RSA 
function. 

Our simulation must respond to $\mathcal{A}$'s queries to the random oracles $G$ and $H$ and 
the signcryption oracle. We denote the algorithms to do this $G_{sim}$, $H_{sim}$ and 
$S_{sim}$ respectively and we describe them below. To make our simulations sound 
we keep two lists $L_G$ and $L_H$ that are initially empty. The list $L_G$ will consist of 
query/response pairs. At the end of the simulation we hope to find the partial 
preimage of $c^*$ among queries in $L_G$. 



G_sim(ω):
    If (ω, x) ∈ L_G for some x:
        Return x
    Else:
        x ← {0,1}^(n+k_0)
        Add (ω, x) to L_G
        Return x

H_sim(m||r):
    If (m||r, ω, ·, ·, ·) ∈ L_H for some ω:
        Return ω
    Else:
        x ← Z*_(N_A)
        z ← x^(e_A) mod N_A
        y ← c* z mod N_A
        Parse y as s||ω
        Add (m||r, ω, x, y, z) to L_H
        Add (ω, s ⊕ (m||r)) to L_G
        Return ω

S_sim(m||r, (N_B, e_B)):
    x ← Z*_(N_A)
    y ← x^(e_A) mod N_A
    Parse y as s||ω
    Add (m||r, ω, −, −, −) to L_H
    Add (ω, s ⊕ (m||r)) to L_G
    If x > N_B: x ← x − 2^(k−1)
    c ← x^(e_B) mod N_B
    Return c

Let us now analyse our simulation. Consider events that would cause the adversary's 
view in our simulated run to differ from its view in a real attack. Such 
an event could be caused by an error in $G_{sim}$, $H_{sim}$ or $S_{sim}$. We let AskG be the 
event that there is an error in $G_{sim}$ and define AskH and SBad analogously. 
It is easily verified that 

$$\Pr[\mathrm{AskG}] = 0. \tag{25}$$

An error in $H_{sim}$ will only occur if it attempts to add $(\omega, s \oplus (m \| r))$ to $L_G$ when 
$G(\omega)$ is already defined. We conclude that 

$$\Pr[\mathrm{AskH}] \le 2^{-k_1} \cdot \sum_{i=0}^{q_h-1} (q_g + q_s + i) = 2^{-(k_1+1)} \cdot q_h \cdot (2q_g + q_h + 2q_s - 1). \tag{26}$$
An error in $S_{sim}$ will occur if it attempts to add $(m \| r, \omega, -, -, -)$ to $L_H$ when 
$H(m \| r)$ is already defined. The only other possibility for an error in $S_{sim}$ is 
attempting to add $(\omega, s \oplus (m \| r))$ to $L_G$ when $G(\omega)$ is already defined. We 
conclude that 

$$\Pr[\mathrm{SBad}] \le 2^{-k_0} \cdot \sum_{i=0}^{q_s-1} (q_h + i) + 2^{-k_1} \cdot \sum_{i=0}^{q_s-1} (q_g + q_h + i)$$

$$= q_s \cdot \left(2^{-(k_0+1)} \cdot (2q_h + q_s - 1) + 2^{-(k_1+1)} \cdot (2q_g + 2q_h + q_s - 1)\right). \tag{27}$$

We also define the event FBad to be that when $\mathcal{A}$ outputs a valid forged signcryption 
$c$ on some message $m$, but $m \| r$ was never a query to $H_{sim}$. Clearly we 
have 

$$\Pr[\mathrm{FBad}] \le 2^{-k_1}. \tag{28}$$

We define the event Bad to be 

$$\mathrm{Bad} = \mathrm{AskG} \vee \mathrm{AskH} \vee \mathrm{SBad} \vee \mathrm{FBad}. \tag{29}$$

Let us consider the event $\mathcal{A}\ \mathrm{wins} \wedge \neg\mathrm{Bad}$ in our simulated run of $\mathcal{A}$. If this 
event occurs then $\mathcal{A}$ outputs a forged signcryption $c$ of some $m$ such that 
$(m \| r, \omega, x, y, z) \in L_H$ for some $r, \omega, x, y, z$. Now, looking at the construction 
of $H_{sim}$ we see that we have 

$$(c/x)^{e_A} = y/x^{e_A} = y/z = c^* z/z = c^* \bmod N_A. \tag{30}$$

Therefore $(c/x) \bmod N_A$ is the $e_A$-th root of $c^*$ modulo $N_A$ as required. We 
denote the event that we manage to find the $e_A$-th root modulo $N_A$ of $c^*$ by 
Invert. We see from (30) that 

$$\Pr[\mathrm{Invert}]_{sim} \ge \Pr[\mathcal{A}\ \mathrm{wins} \wedge \neg\mathrm{Bad}]_{sim}, \tag{31}$$

where the subscript $sim$ denotes the fact that these are probabilities in our 
simulated run of $\mathcal{A}$. We will denote probabilities in a real execution of $\mathcal{A}$ with 
the subscript $real$. From (31) and the definition of Bad we see that 

$$\Pr[\mathrm{Invert}]_{sim} \ge \Pr[\mathcal{A}\ \mathrm{wins} \wedge \neg\mathrm{Bad}]_{real} \ge \Pr[\mathcal{A}\ \mathrm{wins}]_{real} - \Pr[\mathrm{Bad}]_{real}. \tag{32}$$

The result now follows from (25), (26), (27), (28), (29) and (32). 
CLAIMS 



1. A method by which a first computing entity having an RSA key pair $(N_A, e_A)$, 
$(N_A, d_A)$ digitally signs and encrypts a message data string, $m$, for decryption by a 
second computing entity having an RSA key pair $(N_B, e_B)$, $(N_B, d_B)$, where $|N_A| = |N_B| 
= n$ and $m \in \{0,1\}^n$, and $k = n + k_0 + k_1$ for integers $k_0$ and $k_1$ even, the method 
comprising: 

a) selecting an integer $r \in \{0,1\}^{k_0}$, 

b) forming the hash $\omega = H(m \| r)$ where $H : \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}$, and 

c) forming the hash $s = G(\omega) \oplus (m \| r)$ where $G : \{0,1\}^{k_1} \to \{0,1\}^{n+k_0}$; steps a) 
to c) being repeated as necessary to obtain $s \| \omega < N_A$; and then 

d) signing by forming $c' = (s \| \omega)^{d_A} \bmod N_A$; and, if $c' > N_B$, 
removing the most significant bit of $c'$ to obtain a new $c'$; and then 

e) encrypting $c'$ by forming $c = c'^{\,e_B} \bmod N_B$. 

2. The method as claimed in claim 1 in which r is selected at random. 

3. A method by which a first computing entity having an RSA key pair $(N_A, e_A)$, 
$(N_A, d_A)$ digitally signs and encrypts a message data string, $m$, for decryption by a 
second computing entity having an RSA key pair $(N_B, e_B)$, $(N_B, d_B)$, where $|N_A| = |N_B| 
= n$ and $m \in \{0,1\}^n$, and $k = n + k_0 + k_1$ for integers $k_0$ and $k_1$ even, the method 
comprising: 

a) selecting an integer $r \in \{0,1\}^{k_0}$, 

b) forming the hash $\omega = H(m \| r)$ where $H : \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}$, and 

c) forming the hash $s = G(\omega) \oplus (m \| r)$ where $G : \{0,1\}^{k_1} \to \{0,1\}^{n+k_0}$; steps a) 
to c) being repeated as necessary to obtain $s \| \omega < N_A$; and then 

d) signing by forming $c' = (s \| \omega)^{d_A} \bmod N_A$; steps a) to d) being repeated as 
necessary to obtain $c' < N_B$; and then 

e) encrypting $c'$ by forming $c = c'^{\,e_B} \bmod N_B$. 

4. The method as claimed in claim 3 in which r is selected at random. 

5. A computing entity comprising: 

a data processing equipment; 

a memory; and 

a communications equipment, 

said data processing equipment being configured so as to be capable of 
processing data according to a set of instructions stored in said memory: 

said communications equipment configured so as to communicate data 
according to said set of instructions; 

said set of instructions being such as to configure the computing entity to be 
capable of carrying out the computer implemented steps of the first computing entity 
of any one of claims 1 to 4. 

6. A computer storage medium having stored thereon a computer program 
readable by a general-purpose computer, the computer program including instructions 
for said general purpose computer to configure it to be as the computing entity of 
claim 5. 

7. A computing entity arranged to digitally sign and encrypt a message substantially 
as hereinbefore described. 

8. A method of digitally signing and encrypting a message substantially as 
hereinbefore described. 

9. A computer storage medium having stored thereon a computer program readable 
by a general-purpose computer, the computer program including instructions for said 
general purpose computer to configure it to be as a computing entity substantially as 
hereinbefore described. 
ABSTRACT (Ref Fig 3) 

DIGITAL MESSAGE ENCRYPTION AND AUTHENTICATION 



A method by which a first computing entity having an RSA key pair $(N_A, e_A)$, $(N_A, d_A)$ 
digitally signs and encrypts a message data string, $m$, for decryption by a second 
computing entity having an RSA key pair $(N_B, e_B)$, $(N_B, d_B)$, where $|N_A| = |N_B| = n$ and 
$m \in \{0,1\}^n$, and $k = n + k_0 + k_1$ for integers $k_0$ and $k_1$ even, the method comprising: 

a) selecting an integer $r \in \{0,1\}^{k_0}$, 

b) forming the hash $\omega = H(m \| r)$ where $H : \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}$, and 

c) forming the hash $s = G(\omega) \oplus (m \| r)$ where $G : \{0,1\}^{k_1} \to \{0,1\}^{n+k_0}$; steps a) 
to c) being repeated as necessary to obtain $s \| \omega < N_A$; and then 

d) signing by forming $c' = (s \| \omega)^{d_A} \bmod N_A$; and, if $c' > N_B$, 
removing the most significant bit of $c'$ to obtain a new $c'$; and then 

e) encrypting $c'$ by forming $c = c'^{\,e_B} \bmod N_B$. 

This signcryption scheme is based on RSA and is proven secure in the random oracle 
model [6] for its privacy and unforgeability. The proofs are under the assumption 
that inverting the RSA function is hard. The scheme produces compact ciphertexts as 
well as offering non-repudiation in a very straightforward manner. 
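As an added worked example (not code from the patent or its authors), the signcryption of claim 1, steps a) to e), together with a receiver-side inverse, in Python with constructed toy parameters: 64-bit moduli, so that $k = |N_A| = |N_B| = n + k_0 + k_1$ with $n = 32$ and $k_0 = k_1 = 16$, SHA-256 standing in for the random oracles $H$ and $G$, and trial-division RSA key generation. The names keygen, signcrypt and unsigncrypt, and the unsigncryption steps (undo step e), then check $c'$ both as received and with its top bit restored), are assumptions of this example, not text from the page.

```python
import hashlib
import random
K, N_BITS, K0, K1 = 64, 32, 16, 16   # toy sizes (constructed): k = n + k0 + k1 = |N_A| = |N_B|

def oracle(tag, x, in_bits, out_bits):   # SHA-256 stand-in for a random oracle (an assumption)
    d = hashlib.sha256(tag + x.to_bytes(in_bits // 8, "big")).digest()
    return int.from_bytes(d, "big") >> (256 - out_bits)

H = lambda mr: oracle(b"H", mr, N_BITS + K0, K1)   # H: {0,1}^(n+k0) -> {0,1}^k1
G = lambda w: oracle(b"G", w, K1, N_BITS + K0)     # G: {0,1}^k1 -> {0,1}^(n+k0)

def keygen(seed, e=65537):   # toy RSA pair (N, e), (N, d) with N of exactly K bits
    rng = random.Random(seed)
    def prime():   # trial-division primes; fine only at these toy sizes
        while True:
            p = rng.getrandbits(K // 2) | (1 << (K // 2 - 1)) | 1
            if all(p % d for d in range(3, int(p ** 0.5) + 1, 2)):
                return p
    while True:
        p, q = prime(), prime()
        N, phi = p * q, (p - 1) * (q - 1)
        if p != q and N.bit_length() == K and phi % e:   # e is prime, so gcd(e, phi) = 1
            return (N, e), (N, pow(e, -1, phi))

def signcrypt(m, skA, pkB, rng=random):
    """Claim 1, steps a) to e): A signs m with (N_A, d_A), then encrypts to (N_B, e_B)."""
    (NA, dA), (NB, eB) = skA, pkB
    sw = NA
    while sw >= NA:                       # steps a)-c) are repeated until s||w < N_A
        r = rng.getrandbits(K0)           # a) r in {0,1}^k0
        mr = (m << K0) | r
        w = H(mr)                         # b) w = H(m||r)
        s = G(w) ^ mr                     # c) s = G(w) xor (m||r)
        sw = (s << K1) | w
    c1 = pow(sw, dA, NA)                  # d) c' = (s||w)^dA mod N_A
    if c1 > NB:
        c1 -= 1 << (K - 1)                #    drop the most significant bit of c'
    return pow(c1, eB, NB)                # e) c = c'^eB mod N_B

def unsigncrypt(c, skB, pkA):
    """Receiver side (inverse reconstructed for this example, not quoted from the claims)."""
    (NB, dB), (NA, eA) = skB, pkA
    c1 = pow(c, dB, NB)
    for cand in [x for x in (c1, c1 + (1 << (K - 1))) if x < NA]:   # as received, then top bit restored
        y = pow(cand, eA, NA)
        s, w = y >> K1, y & ((1 << K1) - 1)
        mr = G(w) ^ s
        if H(mr) == w:                    # the k1-bit redundancy check authenticates the signer
            return mr >> K0
    return None
```

Trying $c'$ with its top bit restored is what lets the receiver undo the bit removed in step d); a wrong candidate passes the $H$ check only with probability about $2^{-k_1}$.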